lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <BAY106-F25527C3E76C0FF1AEB100294300@phx.gbl>
Date: Thu Dec 22 17:16:57 2005
From: wilder_jeff at msn.com (wilder_jeff Wilder)
Subject: Broadcast storm in my network/ any ideas


All,

I have a Windows 2000 terminal server that is consistantly sending out 
broadcasts to 255.255.255.255:111... below is a capture from a snort box I 
have running. In the last 18 hours I have had about 2000 packets from this 
box to this address about every 30 seconds.  Snort reports the signature as 
a RPC portmap proxy attempt UDP.  I have not been able to find much 
information on this event.  I have run a current AV scan against the box, it 
did come up clean.  Can anyone give me a bit of direction as to these 
events?

-Jeff

RPC portmap proxy attempt UDP  10.74.32.31:3300/udp    
255.255.255.255:111/udp 07:50:35
RPC portmap proxy attempt UDP  10.74.32.31:3291/udp    
255.255.255.255:111/udp 07:50:05

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ